On Fri, Jan 25, 2019 at 10:40 AM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I mean, it's using an ACE label. That's where Ballot 202 would have
> clarified and required more explicit validation of the ACE labels to
> address the SHOULD NOT from https://tools.ietf.org/html/rfc3490#section-5
> to a MUST NOT.
>
> The CA can perform ToASCII(ToUnicode(label)) == label to validate.

Ballot 202 explicitly required that ToUnicode(label) works (i.e. is valid Punycode). ToASCII() has a number of different parameters and different clients use different parameter values. I don't think the BRs should require that CAs use a specific combination because that would effectively mean that certain clients would not be able to use TLS with IDNs.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
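The round-trip check discussed above, as an added example that is not part of the original messages: it applies ToASCII(ToUnicode(label)) == label to constructed ACE labels using Python's stdlib encodings.idna (RFC 3490 / IDNA2003). The stdlib fixes UseSTD3ASCIIRules to false and does not check unassigned code points, so the optional STD3 re-check in to_ascii is a hypothetical wrapper added to show how the verdict shifts with the ToASCII parameters Peter refers to.

```python
from encodings import idna  # stdlib RFC 3490 (IDNA2003) implementation


def to_ascii(label: str, use_std3_ascii_rules: bool = False) -> bytes:
    """RFC 3490 ToASCII. The stdlib hard-codes UseSTD3ASCIIRules=False, so the
    optional LDH check below re-adds step 3 (hypothetical wrapper)."""
    ace = idna.ToASCII(label)  # raises UnicodeError on prohibited input
    if use_std3_ascii_rules:
        prepped = label if label.isascii() else idna.nameprep(label)
        if any(ord(c) < 128 and not (c.isalnum() or c == "-") for c in prepped):
            raise UnicodeError("non-LDH ASCII code point in label")
        if prepped.startswith("-") or prepped.endswith("-"):
            raise UnicodeError("leading or trailing hyphen in label")
    return ace


def validate_ace_label(label: str, use_std3_ascii_rules: bool = False):
    """CA-side check: ToUnicode(label) must succeed (valid Punycode, the
    Ballot 202 requirement) and ToASCII of the result must reproduce the
    label byte-for-byte. Returns (True, unicode_label) or (False, reason)."""
    if not label.isascii() or not label.lower().startswith("xn--"):
        return False, "not an ASCII ACE label"
    try:
        unicode_label = idna.ToUnicode(label)
    except UnicodeError as e:
        return False, f"ToUnicode failed: {e}"
    try:
        back = to_ascii(unicode_label, use_std3_ascii_rules)
    except UnicodeError as e:
        return False, f"ToASCII failed: {e}"
    if back != label.encode("ascii"):
        return False, f"does not round-trip: {back!r} != {label!r}"
    return True, unicode_label


# Constructed sample labels (not from the thread).
SAMPLES = {
    "canonical": "xn--bcher-kva",          # "bücher": passes
    "uppercase_ace": "xn--BCHER-kva",      # decodes, but re-encodes lowercase
    "nameprep_folded": "xn--" + "\ufb01".encode("punycode").decode("ascii"),
    # U+FB01 "fi" ligature: ToUnicode itself rejects it (nameprep maps it to "fi")
    "non_ldh": "xn--" + "a_\u00fc".encode("punycode").decode("ascii"),
    # "a_ü": verdict depends on UseSTD3ASCIIRules
}

if __name__ == "__main__":
    for name, ace in SAMPLES.items():
        for std3 in (False, True):
            print(f"{name:16} STD3={std3!s:5} {validate_ace_label(ace, std3)}")
```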